How can I update the cross-realm trust principal password for an existing Amazon EMR cluster?


I set up cross-realm trust with an Active Directory domain on a Kerberized Amazon EMR cluster. I need to change the principal password.

Resolution

Amazon EMR creates a krbtgt principal using the cross-realm trust principal password that you specify at cluster launch. This principal is stored in the key distribution center (KDC) on the primary node. It looks similar to the following: krbtgt/ADTrustRealm@KerberosRealm

To update the cross-realm trust principal password:

  1. Connect to the primary node using SSH.

  2. Open the kadmin.local tool:

    sudo kadmin.local
  3. List all principals to find the principal that you want to update (for example, krbtgt/MYADDOMAIN.COM@MYEMRDOMAIN.COM):

    list_principals
  4. Run the following command to update the password for the cross-realm trust principal. In the following example, replace krbtgt/MYADDOMAIN.COM@MYEMRDOMAIN.COM with your principal.

    change_password krbtgt/MYADDOMAIN.COM@MYEMRDOMAIN.COM
  5. Exit the kadmin.local tool:

    exit
  6. To confirm that the new password works, obtain a Kerberos ticket for an Active Directory user and then list HDFS files. For example:

    kinit myaduser@MYADDOMAIN.COM
    hdfs dfs -ls /tmp
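
The following script is an added example, not part of the original article: it wraps steps 2 through 5 and confirms the change by checking that the principal's key version number (kvno) increased, which MIT Kerberos does on every password change. The function names are hypothetical, and the sample principal list at the end is constructed so the filter can be tried without a KDC.

```bash
#!/bin/sh
# Added example: run on the primary node, passing the trust principal as $1.

# Reads `list_principals` output on stdin; prints only cross-realm trust
# principals, i.e. krbtgt/<REALM_A>@<REALM_B> where the two realms differ.
cross_realm_principals() {
  awk -F'[/@]' 'NF == 3 && $1 == "krbtgt" && $2 != $3'
}

# Reads `get_principal` output on stdin; prints the highest key version.
max_kvno() {
  awk '/^Key: vno / { v = $3 + 0; if (v > m) m = v } END { print m + 0 }'
}

# Changes the password interactively and fails if the kvno did not increase.
rotate_trust_password() {
  princ=$1
  before=$(sudo kadmin.local -q "get_principal $princ" | max_kvno)
  # No -pw option: kadmin prompts, so the password stays out of argv/history.
  sudo kadmin.local -q "change_password $princ" || return 1
  after=$(sudo kadmin.local -q "get_principal $princ" | max_kvno)
  if [ "$after" -le "$before" ]; then
    echo "kvno still $before: password for $princ was not changed" >&2
    return 1
  fi
  echo "$princ: kvno $before -> $after"
}

if [ "$#" -ge 1 ]; then
  rotate_trust_password "$1"
else
  # Constructed sample of list_principals output, for an offline dry run.
  printf '%s\n' 'kadmin/admin@MYEMRDOMAIN.COM' \
    'krbtgt/MYEMRDOMAIN.COM@MYEMRDOMAIN.COM' \
    'krbtgt/MYADDOMAIN.COM@MYEMRDOMAIN.COM' | cross_realm_principals
fi
```

To list candidate principals on a live cluster, pipe `sudo kadmin.local -q list_principals` into `cross_realm_principals`.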

Related information

Tutorial: Configure a cross-realm trust with an Active Directory domain

Cross-realm trust

How can I renew an expired Kerberos ticket that I'm using for Amazon EMR authentication?

AWS OFFICIAL
Updated 5 months ago